
Newlines or "YAML encrypted blobs" fail to decrypt #239

Closed
diranged opened this issue Nov 23, 2020 · 1 comment · Fixed by #370
Labels
bug Something isn't working ToDo

Comments

@diranged

We are trying to work around argoproj-labs/argocd-notifications#107. To do that, I tried to encrypt a multi-line blob:

slack:
  token: <insert token here>

When I took this blob and put it into the KMSSecret object, the controller failed to decrypt it:

2020-11-23T05:49:46.954Z	INFO	controllers.KMSSecret	fetching KMSSecret resources	{"kmssecret": "kube-system/mysecret"}
2020-11-23T05:49:47.049Z	ERROR	controllers.KMSSecret	failed to decrypt data	{"kmssecret": "kube-system/mysecret", "secret_name": "mysecret", "error": "failed to yaml parse: failed to unmarshal: yaml: unmarshal errors:\n  line 1: cannot unmarshal !!map into string"}
github.com/go-logr/zapr.(*zapLogger).Error
	/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128
github.com/h3poteto/kms-secrets/controllers.(*KMSSecretReconciler).Reconcile
	/workspace/controllers/kmssecret_controller.go:72
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:244
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:218
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:197
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155
k8s.io/apimachinery/pkg/util/wait.BackoffUntil
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156
k8s.io/apimachinery/pkg/util/wait.JitterUntil
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133
k8s.io/apimachinery/pkg/util/wait.Until
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:90
2020-11-23T05:49:47.049Z	ERROR	controller	Reconciler error	{"reconcilerGroup": "secret.h3poteto.dev", "reconcilerKind": "KMSSecret", "controller": "kmssecret", "name": "mysecret", "namespace": "kube-system", "error": "failed to yaml parse: failed to unmarshal: yaml: unmarshal errors:\n  line 1: cannot unmarshal !!map into string"}

After doing some testing, I found that virtually any secret that decrypts into anything that looks like YAML fails. For example, even encrypting "foo: bar" fails:

$ AWS_DEFAULT_REGION=us-west-2 aws_kms_encrypt "foo: bar"
AQICAHjXjb32Y6TlYg+cmslx4ZbGqqzlAk+...+376w6fOCGsRRY2tfKWOQ==

$ cat kmssecret.yaml 
apiVersion: secret.h3poteto.dev/v1beta1
kind: KMSSecret
metadata:
  name: mysecret
spec:
  region: us-west-2
  encryptedData:
    my_key: AQICAHjXjb32Y6TlYg+cmslx4ZbGqqzlAk+...+376w6fOCGsRRY2tfKWOQ==
2020-11-23T16:14:37.650Z	ERROR	controller	Reconciler error	{"reconcilerGroup": "secret.h3poteto.dev", "reconcilerKind": "KMSSecret", "controller": "kmssecret", "name": "mysecret", "namespace": "kube-system", "error": "failed to yaml parse: failed to unmarshal: yaml: unmarshal errors:\n  line 1: cannot unmarshal !!map into string"}
github.com/go-logr/zapr.(*zapLogger).Error
	/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:246
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:218
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker
	/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:197
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155
k8s.io/apimachinery/pkg/util/wait.BackoffUntil
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156
k8s.io/apimachinery/pkg/util/wait.JitterUntil
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133
k8s.io/apimachinery/pkg/util/wait.Until
	/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:90

I would love to use this project, but we need it to be a little less concerned with the "final" contents of the secret data... Does this seem like an easy thing to fix?
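A Python model of the decrypt-then-parse step this report describes, added here as an example (it is not kms-secrets' own code, which is Go): it reproduces the mapping failure from the log, the plaintext fallback that the later "refs #239" commit describes, and the cases where a parse that succeeds still alters the secret. It assumes PyYAML is installed; fake_kms_encrypt and fake_kms_decrypt are constructed stand-ins for KMS, so the "ciphertext" is just base64.

```python
import base64
import yaml  # assumption: PyYAML is installed


def fake_kms_encrypt(plaintext: bytes) -> str:
    # Constructed stand-in for `aws kms encrypt`: the "ciphertext" is just base64.
    return base64.b64encode(plaintext).decode("ascii")


def fake_kms_decrypt(ciphertext_b64: str) -> bytes:
    # Constructed stand-in for the controller's KMS Decrypt call.
    return base64.b64decode(ciphertext_b64)


def parse_plaintext_strict(plaintext: bytes) -> str:
    # Old behaviour: the decrypted text must YAML-parse to a string scalar.
    # "foo: bar" parses to a mapping, which is the "cannot unmarshal !!map
    # into string" failure in the controller log.
    value = yaml.safe_load(plaintext.decode("utf-8"))
    if not isinstance(value, str):
        raise ValueError(f"cannot unmarshal {type(value).__name__} into string")
    return value


def parse_plaintext_lenient(plaintext: bytes) -> str:
    # Fixed behaviour (refs #239): use the raw plaintext when parsing fails.
    try:
        return parse_plaintext_strict(plaintext)
    except (ValueError, yaml.YAMLError):
        return plaintext.decode("utf-8")


def decrypt_secret_data(encrypted_data: dict, lenient: bool) -> dict:
    # Map a KMSSecret spec.encryptedData block to Secret string values.
    parse = parse_plaintext_lenient if lenient else parse_plaintext_strict
    return {k: parse(fake_kms_decrypt(v)) for k, v in encrypted_data.items()}


def yaml_parse_alters(plaintext: str) -> bool:
    # True when a *successful* YAML parse still changes the secret: quotes are
    # stripped, a bare multi-line scalar is folded onto one line, "yes" becomes
    # a bool. The fallback fix does not catch these, so treating the decrypted
    # bytes as opaque is the safer default for a secrets controller.
    try:
        return yaml.safe_load(plaintext) != plaintext
    except yaml.YAMLError:
        return True
```

Note that in this model the two-line token value `a\nb` survives the lenient path only as `a b`: the fallback fires on parse errors, not on silent rewrites.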

h3poteto added the labels ToDo and bug (Something isn't working) on Jan 7, 2021
@h3poteto
Owner

Hmm... How did you encrypt my_key? Did you use the aws kms encrypt command?

h3poteto added a commit that referenced this issue Jun 2, 2021
h3poteto added a commit that referenced this issue Jun 3, 2021
h3poteto added a commit that referenced this issue Jun 3, 2021
refs #239 Use plain text when parsing yaml fails